Description
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2017-02-01/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95956
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
Third Party Advisory x_refsource_confirm
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
Scores
CVSS v3
4.3
EPSS
0.0207
EPSS Percentile
78.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-358
CWE-863
Status
published
Products (5)
jenkins/jenkins
< 2.32.2
jenkins/jenkins
< 2.44
org.jenkins-ci.main/jenkins-core
0 - 2.44Maven
redhat/openshift
2.0
redhat/openshift
3.0
Published
May 08, 2018
Tracked Since
Feb 18, 2026